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Abstract — A conjugate code pair is defined as a pair of linear 
codes eitiier of wiiicii contains tlie dual of the otlier. A conjugate 
code pair represents the essential structure of the corresponding 
Calderbank-Shor-Steane (CSS) quantum code. It is known that 
conjugate code pairs are appUcable to (quantum) cryptography. 
We give a construction method for efficiently decodable conjugate 
code pairs. 

Index Terms — conjugate code pairs, quotient codes, concate- 
nation, syndrome decoding, achievable rates. 

I. Introduction 

A conjugate code pair is a pair of linear codes (Ci,C2) 
satisfying the condition C Ci, where denotes the 
dual of C. This paper treats the issue of constructing a 
conjugate code pair (Ci,C2) such that either Ci or C2 
(more precisely, either CijC^ or C^IC^; see Section El} are 
efficiently decodable. Namely, we give a construction method 
for efficiently decodable conjugate code pairs. Motivations for 
constructing such pairs are given in [1], [2], [3], [4], [5] and 
briefly described below. 

In the past decades, great efforts have been made to extend 
information theory and its ramifications to quantum theoretical 
settings. In particular, after a proof of the 'unconditional' 
security of a quantum key distribution (QKD) protocol [6] was 
given [7], it was observed [1] that the structure of Calderbank- 
Shor-Steane (CSS) codes [8], [9] had been used implicitly 
in the QKD protocol. Moreover, it was argued [1] that the 
security of the QKD protocol could be proved by bounding 
the fidelity (a performance measure, which parallels the prob- 
ability of successful decoding) of CSS codes underlying the 
protocol. 

CSS codes are a class of algebraic quantum error-correcting 
codes, called symplectic codes, or stabilizer codes [10], [11], 
[12]. The term conjugate code pairs or conjugate codes [4] is 
almost a synonym for CSS codes if one forgets about quantum 
mechanical operations for encoding or decoding and pays 
attention only to what can be done in the coding theorists' 
universe of finite fields. Namely, a CSS code is specified by 
a conjugate code pair (Ci, C2).' 

It is known that if codes C\ and C2 are both good, the 
CSS quantum code specified by C\ and C2 is good, and 
hence, the cryptographic code or QKD protocol resulting from 
(Ci, C2) is good in view of security and reliability (probability 
of successful decoding). In this context, either C\ or C2 should 

'The bridge between the coding theorists universe, the vector space F^" 
over a finite field , and quantum mechanical worlds that are represented by 
Hilbert spaces is Weyl's projective representation A' of F^", which maps a 
vector in F^" to a unitary operator on a -dimensional Hilbert space [13]. 
In fact, a symplectic code is a simultaneous eigenspace of a set of commuting 
operators that can be written as N{S) or Ng, the image of 5 C F^", and a 
CSS code is such that S is specified by a conjugate code pair (Ci, C2) via 
S = {[u,v] I -u G C^,v G C^} in the notation of [5], [4], [3]. 



be efficiently decodable because only one of the two codes is 
used for transmission of secret data. 

It may be interesting that only the 'structure of CSS codes 
is used in the QKD protocol above mentioned. In other words, 
what is used in the QKD protocol is not a quantum code 
but a reduced form of a CSS code, and this reduced form 
is a linear error-correcting code. More precisely, this is a 
quotient code [5] of the form Ci/C^, which will be explained 
shortly. This can be viewed as an error-correcting code that 
can protect information from eavesdroppers. Quotient codes 
fall in the class of coding systems devised in a similar but 
classical context in [14], though we have arrived at this notion 
through a different path, i.e., through explorations on quantum 
cryptography [6], [1], [7], [3]. (The adjective 'classical' will 
sometimes refer to not being quantum theoretical.) We remark 
that as is implicit in [3] and explicit in [4], quotient codes 
can be used as cryptographic codes that are more general 
than QKD schemes. (General cryptographic codes allow direct 
encoding of secret data, whereas the aim of key distribution 
is to share a random string between remote sites.) 

In [8], [3], the existence of good CSS codes was proved 
by random coding. In particular, the rate 1 — 2h{p), where h 
denotes the binary entropy function, was called the Shannon 
rate in [1] and proved achievable in [3]. However, these codes 
do not have a rich structure that allows efficient decoding. In 
this paper, we consider the issue of constructing efficiently de- 
codable conjugate codes. Our approach is that of concatenated 
codes [15], by which we establish that the rate 1 — 2h{p) is 
achievable with codes of polynomial decoding complexity. 

Besides applications to cryptography, our construction gives 
quantum error-correcting codes superior to those known [16], 
[17], [18]. 

We remark another major approach, i.e., that of low density 
parity check codes had already been taken to construct CSS 
codes [19]. However, the present work is different from [19] 
in that the decoding error probability is evaluated without 
approximation or resort to simulation. 

This paper is organized as follows. In Section |lll we 
introduce quotient codes and conjugate codes. In Section [TTTl 
concatenated conjugate codes are defined. In Sections II VI and 
fVl methods for decoding are described. The performance 
of concatenated conjugate codes is evaluated in Section IVII 
Section IVIII contains discussions and remarks. Section IVIIII 
contains a summary. An appendix is given for proving a 
fundamental lemma, on which our construction is based. 

II. Quotient Codes and Coniugate Codes 

We fix some notation. The set of consecutive integers {1,1 + 
1, . . . , to} is denoted by [I, m]z- We write B < C, or C > B, 
if _B is a subgroup of an additive group C. We use the dot 
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product defined by (a;i, . . . , a;„) • (2/1, ... , y„) = YJi=i ^iVi 
on F", where F is a finite field. For a subset C of F", 
denotes {y e F" | Vx e C, a; • y = 0}. A subset C of F" is 
called an [n,k] code if A: = logipi |C|. As usual, [aj denotes 
the largest integer a' with a' < a, and \a] = — [— aJ . The 
transpose of a matrix A is denoted by A*. 

First, we explain quotient codes introduced in [5]. The 
aim of [5] was to exhibit the essence, at least, for algebraic 
coding theorists, of algebraic quantum coding, and this attitude 
was retained to introduce the notion of conjugate codes [4]. 
Throughout, we fix a finite field ¥q of q elements. We will 
construct codes over F^. 

A quotient code of length n over Fg is an additive quotient 
group C /B with i? < C < F^. In the scenario of quotient 
codes in [5], the sender encodes a message into a member c 
of C /B, chooses a word in c according to some probability 
distribution on c, and then sends it through the channel. 
Clearly, if C is a J-correcting ( J C V^) in the ordinary sense, 
C /B is (J + i?) -correcting (since adding a word in B to the 
'code-coset' c does not change it). The (information) rate of 
the quotient code C /B is defined as n^^ log^ |C|/|i?|. 

We mean by an fc]] conjugate (complementary) code 
pair, or CSS code pair, over Fg a pair (Ci,C2) consisting 
of an [n, fci] linear code Ci and an [n, linear code C2 
satisfying 

C^<Cu (1) 



which condition is equivalent to < C2, and 

k — ki + k2 — n. 



(2) 



If Ci and C2 satisfy Q, the quotient codes Ci/C^ and 
C2/C1 are said to be conjugate. The number fc/n is called 
the (information) rate of the conjugate code pair (Ci, C2), and 
equals that of C1/C2 and that of C2/C1. 

The condition Q is equivalent to that and C2 are 
perpendicular to each other. Here, with two codes C and C" 
given, we say C is perpendicular to C and write 

C_LC" 

if a; • y = for any a; G C and y G C". Note that C _L C" if 
and only if (iff) C <C^, or equivalently, iff C < C"^. 

The goal is to find a conjugate code pair (Ci, C2) such that 
both C1/C2 and C2/C1 have good performance. If the linear 
codes Ci and C2 both have good performance, so do Ci / 
and C2IC1. Hence, a conjugate code pair (Ci, C2) with good 
(not necessarily a technical term) Ci and C2 is also desirable. 
The details may be found in [4], [5] or in the other literature 
on CSS codes. 

III. Concatenated Conjugate Codes 

Forney [15] invented a method for creating error-correcting 
codes of relatively large lengths by concatenating shorter 
codes. We bring Forney's idea into our issue of constructing 
long conjugate codes. 

Lemma 1: Assume (Ci , C2) is a conjugate code pair having 
the parameters as above, and 

Ci =C2^+span{yi,...,gfc}. 
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Fig. 1. A basic structure of an [[n,fc]] conjugate code pair 



Then, we can find vectors , . . . , g^. such that 



C2 = + spd,r\ {g[, . . . , g'k} 



and 



9l-9ni= (>lr. 



where 5im is the Kronecker delta. 

Proof. We see this from Fig. ^ In fact, if Ci 



span {gi, . . . , < F^ and H2 is a full -rank parity check 
matrix of C2, we have an invertible matrix. A, as depicted 
at the left-most position of Fig. \l\ Of course, we have its 
inverse A^^, which is depicted next to A in the figure. Write 
g[^, . . . , g'f} for the (n — fc2 + l)-th to fci-th columns of A~^. 
Then, we see that gi ■ g'j^ ~ 5im and the last n ~ ki columns 
of the second matrix are perpendicular to the [n, fci] code Ci. 

□ 



Let {C['\C^2')' « e [l,N]z, be [[nW,fc]] conjugate code 
pairs over F,, where Ci and C2 are [n^^\ fcj*''] and ^2*''] 
codes, respectively, with 

Assume ^l'-* and .g;'*-*, I G [l,fc]z, satisfy the conditions in 
Lemma [0 In particular. 



-,(■0 



(3) 



The field F^t is an Fg-linear vector space, and we can take 



bases and {/3j)j^i that are dual to each other with 

respect to the Fg-bilinear form (e.g., [20], [21]) defined by 

f : F,. X Wgk ¥q, 

(x,y) TrF_^,/F,xy. 

In particular-, f(/3;, /3^) = (5;,„. 

Now we can define a pair of maps that preserve the bihnear 
form (inner product) as follows. Let 



and cj''' denote spanjgi' 
the concatenated vector {y\ 



E 

i 



^span{5«,...,y«}:^CrVC 
j 



±(^) 
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,9k^}- Let etiy^'^^ denote 
•y«)GFP-""' foryW = 
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{yt\--- ^y%) e Vf\ I e [l,7V]z, and 0^1 ^^^^ denote 
the set of those vectors 0^^^ with y(') e A'-''> < Pf\ 
iG[l,iV]z. 

We can compose a larger map applying ttJ*'' to the i-th 



coordinate of a vector in ¥ \ : 



N . 

N 



-1 ■■ K^^^^i'^ 



1=1 

N N 

1=1 j 1=1 j 

Similarly, we define 



N 



7r2 



F 



N 
N 



02 , 



1=1 



TV 



eE-f/^-eE-^;^^^- 

1=1 j 1=1 j 

Then, for x = {x^^\ . . . ,a;(^)) and y = {y^^\ . . .,y^^^) 
with 

xW=^xf^, and yW=^yf/3j, 
j j 



we have 

T%fc/F, a^-y = 7ri(a;) • 7r2(y). 
This can be seen by noting 

= f(E-f/^.Eyf/3;) 



(4) 



E(0 



= ,<"(x»).4«(sl')) 

and taking summations of the end sides over i e [1, N]z- 

Definition 1: The concatenation (or concatenated conjugate 
code pair made) of conjugate code pairs (c\^\ over Fg, 
i G [l,N]z, and an [[A^, i^T]] conjugate code pair {Di,D2) 
over Fgfc is the [Et=i ^-^1] conjugate code pair 

over ¥q, where 



N 



TO = 1,2. 



If (c{*\ C'2*'') is identical to a fixed [[71, k]] conjugate code 
pair (Ci,C2), it is called the concatenation of (Ci,C2) and 
{Di, D2). It is an [[niV, kK]] conjugate code pair The codes 
cf' , cf' are sometimes called inner codes, and Di , D2 outer 
codes. 



Theorem 1: 



['Kl{Di)+C^]^ =1T2{D2)+Ct 



Corollary 1: The concatenated conjugate code pair in Def- 
inition [2 can be written as 

(^Ipl)+C^,7r2p2) + Cf). 



Proof. It is enough to prove the second equality by virtue 
of the symmetry. First, we show 

[lT2{Di)+Ci]^>TTl{Dl)+C^, (5) 

which is equivalent to 

The code ni{Di) is perpendicular to tt2{Di ) by 0, and to 
Ci trivially. Similarly, Cij is perpendicular to TT2{Dj-). By 



the CSS property ([0, C2 and Ci'^ are perpendicular to 
each other, and hence, is perpendicular to C^. 

Thus, we have (|5}- Since dimF^ [7r2(-Dj'") + C^] 



= E 



N 



dimf, [7ri(L»i 
hence, the corollary. 

Note that a generator matrix of n2{D^ 
the form 



we have the lemma. 



and 

□ 



over ¥q has 



H 



(1) 



O 
C!'i.i 



O 



iff) 

o 

G"l,2 



o 



G' 



A/.l 



G 



Af,2 



G' 



M,N. 



(6) 



where ijj*'' is a parity check matrix of c[^\ O is the zero 
matrix (whose size may vary from place to place), M — N — 
Ki (Ki is the dimension of Di), and for each G'j ^ is 

an n^*) x k matrix whose rows are spanned by 5;'*-'. Hence, 
by Theorem n (|6j is a parity check matrix of tti{Di) + G^. 

IV. Decoding Strategy for Concatenated 
Conjugate Codes 

We investigate correctable errors of the concatenated quo- 
tient codes L1/L2, where Li = 7ri(_Di) + C2 and L2 = 
[■7^1(02) + G^]^ = 7r2(L'2) + Gf, under the scenario of 
quotient codes described in Section |ll| or in [5]. This is a half 
of the conjugate code pair {Li/ L2 , L2/ Lj^), and the other 
half, having the same form, can be treated similarly. 

We remark that in known applications of conjugate codes, 
i.e., for CSS quantum codes and cryptographic codes as in 
[1], [3], [4], the decoding should be a syndrome decoding, 
which consists of measuring the syndrome, estimating the error 
pattern, and canceling the effect of the error 

We decode the code in the following two stages. 
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1) For each of the inner quotient codes c'f^ /C2 \ we per- 
form a syndrome decoding (as described in Sections 2 
and 3 of [5] for preciseness). 

2) For the outer code Di, we perform an efficient decoding 
such as bounded distance decoding. 

For efficient decoding, the outer code Di should allow a 
decoding algorithm of polynomial complexity in N . Assume 
n(*) = n for all i for simplicity. Then, if > q^^ and k/n 
r as n ^ oo, where t > and r > are constants, the 
concatenated conjugate codes L^jL^ can be decoded with 
polynomial complexity in N , and hence in the overall code- 
length riN . Generalized Reed-Solomon (GRS) codes [21] are 
examples of such codes. 

Now assume the sender sent a word x G (F^)^, x suffered 
an additive error e = (ei,...,eAr) G (F^)^, and the receiver 
received a word y — x + e G (F^')^. Using the upper half of 
the parity check matrix in (|6j, where ijl'-* are involved, the 
receiver decodes the inner quotient codes. Namely, receiver 
estimates e^, and subtract e = (eTi, . . . , cat) from y, where 
e,; is the estimate of e^, which is a function of the measured 
syndrome. The decoding error for Cj^^^/Cj*"*^ occurs only if 
Ci is outside J — J + C2 , where C{ is J-correcting. At 
this stage, the received word y can be changed into the interim 
estimate 

y' — y — e — x + {e — e). 

We employ bounded distance decoding here for simplicity, 
though other schemes for classical concatenated codes, such 
as generalized minimum distance (GMD) decoding [15], are 
also applicable. Then, the error e is correctable if e is such 
that the number of inner codes with erroneous decoding (the 
number of i with 7^ e^) is less than b, where we assume the 
outer code Di is 6-error-correcting. 

The decoding for the outer code should be done based on 
the latter half of the syndrome that comes from the lower half 
of the parity check matrix in (|6j. This is possible as will be 
argued in Section IV-BI 

V. Syndrome Decoding for Concatenated 
Conjugate Codes 

A. Preliminaries on Codes over Extension Fields 

If b = {l3j)j^i is a basis of Fq-linear vector space ¥^k, any 
element ^ G F^^fc can be written as 

C = XiPi H 1- XkPk- 

The numerical row vector (xi, . . . ,Xk) obtained in this way 
is denoted by (fihiO- Our arguments to be given rely on the 
next lemma. 

Lemma 2: There exists a triple {ip,(p',^) that consists of 
three bijections (p -.Wgk ^ F^, ip' : W^k F^, and $ : F^t 
F^'^*^' (the set of fc x fe matrices over F^) with the following 
properties, (i) ip = (fib and ip' = ipt,' for dual bases b and b'. 
(ii) We have 

and 



for any G Fj. 

Remark. In fact, we can show the stronger statement that 
whenever b and b' are dual bases, for some $, the condition 
(ii) of Lemma 12 holds with (p ^ ipi, and ip' ~ ip^'. 

A proof of the lemma and its remark, together with concrete 
forms of {ip,ip',^), is included in Appendix |I] The fact in 
Lemma |2l with 'ip'iO^i^.') = 'f'i^CY absent, has often been 
used in implementing codes over extension fields. 

Suppose we have an [N, K] linear code D over F^t . This 
can be used as a [kN, kK] linear code D' over Fg if we apply 
some Fg-linear map from Fgt onto F^ to each symbol of D. 
Then, what is the parity check matrix of D'l 

Let iJ be a parity check matrix of D. We extend the domain 
of (p [(p'} to F^fc, where M is a positive integer, in the natural 
manner: We apply (p [1^'] to each symbol of a word x G F^^, 
and denote the resulting fcM-dimensional vector over Fg by 
(^(x) {(p'lx)}. Our problem is to find a matrix H' such that 

xi/* = ^ ip{x)H'^ = 0, 

where is the zero vector. This will be accomplished if we 
find a matrix H' such that 

ifixH') ^ ip{x)H'\ xeW^k. (7) 

Let H = [hij] with hij G F^t. Then, Q holds for the 
matrix H' ~ with $ as in Lemma|2] This is a direct 

consequent of the first equation of condition (ii) of Lemma |2 
which can be rewritten as = fi^S,')- In particular, 

we have, for H' = [<i>(/iy )], 

^{D) = {y G F^-^ I yiJ'* = 0}. (8) 

This simple logic also works if the pair ($, (p) is replaced 
by i'^\(p'), where is defined by <I>*(f) = $(^)*, C £ F,*, 
since (p') has a property of the same form ^{CY'P'iO^ — 
ip'i^CT- Hence, 

(^'(xff*) = p>\x)H"\ X G Ff. (9) 

where H" = mh.jf]. 

B. Syndromes of Concatenated Quotient Codes 

Recall we have fixed two bases b = and b' = 

that are dual to each other in constructing concate- 
nated codes. Now we easily see G'j j in (|6j are obtained 
from a parity check matrix H of Di as follows. We can use 
the arguments in Sections IV- Al putting H' = with 
D = Di. We replace each row 77 = (771, ... , iji^ii) ) of ^{hji) 
by 

/ , 'Imym ^ 
m— 1 

and set the resulting fc'^*-' x n'^*-' matrix equal to G'j i G 
[l,iV]z, jG[l,M]z. 

With the parity check matrix in (|6j and G'j , constructed as 
above, the latter half of the syndrome is the same as 



ip{x)H'^ 
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by Q, where = tpb- Hence, known procedures to estimate 
the error pattern from the syndrome for Di can be used to 
decode 7ri(Z?i). 

Note also that the parity check matrix of 7ri(Z?i) + thus 
obtained is a generator matrix of its dual 'K2{Di) + Ci . Since 
Li and L2 have the same form, generator matrices of them 
are obtained similarly. 

VI. Performance of Concatenated Conjugate 
Codes 

We evaluate the performance of concatenate conjugate codes 
used on additive memoryless channels, employing the bounded 
distance decoding as in Section Hvl for simplicity. Though the 
resulting bound on the decoding error probability apparently 
admits of improvement in exponents by GMD decoding [15, 
Chapter 4], we do not pursue optimization of attainable 
exponents staying at the issue of establishing achievable rates. 

We know the existence of the sequence of [[n, k]] conjugate 
code pairs (Ci,C2) over whose decoding error probabili- 
ties, say. Pi for Ci/C^ and P2 for the other, are bounded by 

P = niax{Pi,P2} < a„g-"-^('''=). (10) 

Here, 

Tc = — - — , where r„ = - (11) 

2 71 

and a„ is polynomial in n [3], [5]. This bound is attained 
by codes such that ki = k^ [3], [5], [16], [18]. Note (O 
is a rewriting of (|2j with k\ = k^, and is the rate fci/n 
of C\ when it is viewed as a classical code. The exponent 
E{rc) can be understood as the random coding exponent (or 
it may be whatever is attainable by conjugate codes, e.g., 
max{£'i.(P, Tc), E'cxlP, Tc + o(l))} in [5, Theorem 4], which 
can also be attained by codes in [3], [16], [18]). 

We use (Ci, C2) as above for inner codes, and generalized 
Reed-Solomon codes for outer codes Di and D2 of the 
same dimension Ki, and evaluate the concatenation {Li,L2) 
of (Ci,C2) and {Di,D2) as described in Section lllll We 
consider an asymptotic situation where both N and n go to 00, 
Rc — Ki/N approaches a fixed rate R*, and j'c approaches a 
rate r*. The decoding error probability Pcj of Lj/ Lj, where 
1 — 2 and 2 = 1, is bounded by 

N 
i=b 

< qb\os^P, + (N-b)\og^{l-P,) + Nh(h/N) 

where h is the binary entropy function, and b = \{N — 
Ki)/2\ + 1 (for the second inequality, see, e.g., [22, p. 446]; 
slightly weaker bounds can be found in other books on infor- 
mation theory). Taking logarithms and dividing by No — nN , 
and noting ( I10> . we have 

1 for loe„ a„ 1 

+ l^log^{l-P^) + ihib/N) 



for j — 1,2. Hence, the decoding error probability P^ of the 
concatenated code pair {Li,L2), which is defined by P^ — 

maxjPc i, Po,2}, satisfies 

limsup--^log Po > l-msix{l- R*)E{r*). 

This attainable exponent is the same as that discovered by 
Forney [15, Chapter 4] except the maximization range to be 
explained. Converting the rates into those of quotient codes 
by ([11}, namely, by r* = (r + l)/2 and R* = {R+ l)/2, we 
have the next theorem. 

Theorem 2: Assume we have a sequence of [[n, k]] conju- 
gate codes attaining an error exponent £'((1 + ''q)/2) as in 
( I10> . Then, there exists a sequence of [[A'oj/^o]] conjugate 
code pairs {Li,L2) of the following properties, (i) The rate 
Kq/No approaches a fixed number Rq. (ii) The decoding error 
probability Po is bounded by 

limsup --^ log, Pc > J max (1 - R)E{{1 + r)/2) 

where the maximum is taken over {(r, P) | < r < 1, < 
R < l,rP = Po}- (iii) The code Li/L^ and L2/L^ are 
decodable with algorithms of polynomial complexity. 

The attainable exponent, Pl(Po), in the theorem is positive 
whenever E{Ro) is positive. (A way to draw the curve of 
Pl(Po) = maxrfl=fl^(l — R)E^{r) from that of another 
function E^{r) is given in [15, Fig. 4.3].) 

Hence, the achievable rate obtained in [3], which follows 
from the exponential bound in the form dlOt . is achievable by 
codes for which polynomial decoding algorithms exist. For 
the simplest case where q — 2, this rate is written in the form 
1 — 2h{p) with a noise parameter p, which is the probability of 
flipping the bit if the assumed channel is the binary symmetric 
channel (BSC); In short, the achievability comes from that 
both Ci and C2 achieve the capacity of the BSC; By di lb 
or r * = (r + l)/2, the rate r* = 1 — h{p) is converted into 
r = 1 - 2h{p). 

VII. Discussions and Remarks 
A. Related Code Constructions 

A special choice of {Di,D2) and (Ci,C2) in our code 
construction recovers results in [23], [24]. Theorem ^ for 
Cf) = C^^) = F^', n(*) = fc, i e [l,N]z, was observed in 
[23]. If Di = D2 and it is a Reed-Solomon (RS) code in 
addition, our code construction gives the so-called quantum 
RS code [24]. In this case, the inner codes are the [n, n] code, 
not a real code, so that the resulting code of length nN is not 
a real concatenated code. 

Theorem [0 restricted to the case where C^*^ = F^"' and 
k = k^\ i £ [l,N]z, appeared in [25]. 

Concatenated quantum codes are sometimes treated in the 
literature (e.g., [26] and references therein). However, the 
literature has been lacking cryptographic (quotient) codes that 
allow efficient decoding and achieve the rate 1 — 2h{p) [3], 
which has been the (at least, short-term) goal of this issue of 
conjugate, or CSS, codes (e.g., [19]). 
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B. Remarks on Decoding Complexity 

We would need to be careful if we were to argue on efficient 
decoding of quantum codes. In the quantum theoretical setting, 
one natural measure of the complexity is the number of 
primitive unitary operations (quantum gates) needed in a 
decoding process. This is not the concern of this paper 

We evaluated the decoding complexity of cryptographic 
(quotient) codes, which uses only classical information pro- 
cessing [14]. We remark in known applications of quotient 
codes to quantum cryptography, we need quantum mechanical 
devices only for modulation [1], [3], [4]. 

C. Constructibility 

Though we have emphasized the efficiency of decoding, our 
method of concatenation is also effective for constructibility. 
A polynomial construction of codes that achieve the rate r — 
1 — 2/i(p) is given in [16], [18]. The minimum distance of 
constructive concatenated conjugate codes obtained with our 
method is larger than those known [17], [18]. 

We remark that our evaluations on the reliability of con- 
jugate code pairs (LijL-z) has direct implications on the 
reliability of the CSS quantum codes specified, as in the 
footnote in Section |l] by {Li,L2), which are involved with 
quantum mechanical operations: The fidelity of the CSS code 
is lower-bounded by 1 — Pc,i — Pc,2 (see, e.g., [4], [5]). 

VIII. Summary and Concluding Remarks 

We brought Forney's idea of concatenating codes into our 
issue of constructing long conjugate codes. The main technical 
issue resolved is to concatenate conjugate code pairs retaining 
the constraint < Ci. It was shown that the so-called 
Shannon rate 1 — 2h{p) of CSS-code-based cryptographic 
codes is achievable with codes that allow polynomial decod- 
ing. Furtherance would be found in [16], [17], [18]. 
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Appendix I 
Preliminaries on Extension Fields 
A. Companion Matrix 

We begin with treating the basis a = (a"'~^)j=i with a 
being a primitive element of V^k . We also use the following 
alternative visual notation for in the case of b = a. 



Co 



a- 



Let g{x) = ~ gu-i^ 



fc-i 



gix — go be the minimum 



polynomial of a over ¥q. The companion matrix of g{x) is 



T = 



90 
9k-i 



where Ofc_i is the zero vector in F^' ^, and Ik-i is the (fc 
1) X (fc — 1) identity matrix. Note that 



T = 



a 



Then, we have 



Ta'^a'+\ i e [0, g'^ - 2]z. 



Proof of iTTil. Let i^a(a*) — {xi, ■ ■ ■ ,Xk)- Then, 



(12) 



(13) 



x-ja-' 



by J12t . The right-hand side can be written 

as E2=ia;j<^a(a^')* = MT,]=i^j'^^Y 
fa{'^J2j=i Xja^~^y = (pa{aa^y, completing the proof. □ 

We list properties of T, all of which easily follow from ( I13t . 
By repeated use of (I13> . we have 



(14) 



for i,j S [0, q'' — 2]z. This implies 



and hence. 



ze[0,g'=-2]z (15) 



and 



(16) 
(17) 



with I satisfying a' + — a'. 
To sum up, the map defined by 



<i>,:a'^T\ i G [0, - 2]z, 
and $a (0) = Ok (zero matrix) is an isomorphism by (I16> and 

*a(^)$a(?') = *a(en, (18) 
$a(0+1>a(e') = *a(e + n- (19) 

By (HU, for any G FJ, 



(20) 



B. Dual Bases 



In what follows. Try ^/f will be abbreviated as Tr. Let 
- (/3, )^ti and b' = ° 
to each other. Namely, 



b = i(3j)'j^i and b' = (Pj)j=i be bases of F^i- that are dual 



Then, for ^ G F^^, we have [20] 

^b'(0 = (Tr/3ie,...,Tr/3fce). 
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For example, let a' denote the dual basis of a. Then, 

f.'iO = (Tre,TraC,...,Tra^-iO- (21) 
In particular, it follows 

'P.'m.ia = 'p.'m (22) 

for any G F^', which makes good dual properties with 

(Eg. 

Proof of (113. We have 

= TraXO,...,0,<?o) 

+ Tra'+i(l,0,...,0,<7i) + --- 
+ Tra*+'=-i(0,...,0,l,5fc_i) 

= (Tra*+\...,Tra*+'=-\x), 

where 

a; = TrKgo + --- + a'+'=-\gfc-i) 

Hence, 

cp,,{a')T^ip,,ia'+'), (23) 

which is the basic property that parallels il3\ . Applying (I23> 
repeatedly, we obtain i22\ . □ 

C. Proof of Lemma^ 

By (ED, ([19}, (|20} and (|22}, we have a triple ((p,<^',<I>) 
that satisfies the conditions of the lemma. These are ip = ip^, 
ip' = (^3, and $ = $a- 

Other solutions are given in the next subsection. 

D. Change of Bases 

Note i20\ and (I22> can be rewritten as 

[A-1<1>3(0A][A-Va(e')*] = [A-Va(eC')'] 

and 

with an invertible matrix A. These imply that condition (ii) of 
Lemma|2lis also satisfied by {ip,ip\^) with 

$(C) = A-i$3(e)A. (24) 

One may wonder if this newly obtained triple {ip, (p' , $) has 
a relation to (p^ and (p^i associated with a generic pair of dual 
bases (b, b'). It does as we will see below. 

Let b = b' = Recall that a = (a^ = 

'^"'~^)j=i ^nd a' = {a'j)j^i is its dual. We relate b with a by 

i 

and b' with a' by 



Then, 

ipM^^MCY, ^a'(0' = AVb'(0*, 

where A = [Xij] and A' = [A^^]. To retain the duality condition 
Tr/3i/3'„ — Sim, A and A' should satisfy 

A*A'-/fc. 

Hence, {ip,(p') in (I24> is nothing but ((y3b,¥'b')- 

We have also shown the remark to Lemma|2]since the choice 
of b is arbitrary in the above argument. 
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